Hi @harryhcg, let us know if we can help you more, or, please, accept one answer for the other people of the Community.
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated by all the contributors
@yuanliu - It's not working for this requirement. I see it's returning the entire output field value multiple times (equal to the number of lines in the field).
Hi Megha, I am getting the same error in the agent logs. Can you please let me know where to pass this argument?
Regarding the regex suggestion, I still have an issue. Error - Regex: missing terminating ] for character class. Analysing the raw data to use spath. Thank you @gcusello @yuanliu
I have it solved - no idea what it was, but after I rebooted all of the machines it started to work... Thanks! BTW - when my 60 days of test period are done and I go back to the free license, will the forwarders work or do I need a prof. license? I am pretty sure my 3 workstations will not exceed the 500MB / day limit!
Hi @Ricco19, there isn't any difference in search performance: the IN operator is a simplification of the search writing when there are many values.
Ciao.
Giuseppe
Is there any performance impact when using index IN ("windows_server") OR index="windows_server"?
Hi @smanojkumar, if you have the pair fieldname=fieldvalue, you should already have the extraction. Anyway, you could use two regexes like the following:

| rex "OS\=\"(?<OS>[^\"]*)"
| rex "OSRelease\=\"(?<OSRelease>[^\"]*)"

Ciao.
Giuseppe
Hi Splunkers! I need to extract a specific field which doesn't consist of a sourcetype in the logs. Fields to extract - OS, OSRelease. Thanks in advance, Manoj Kumar S
Based on your illustrated data, the id field seems to have a certain format that can help you extract only location. For example,

| rex field=id "^[A-Z]{2}_(?<location>\D[^_]*)"

will give you

id                     location
EF_jblo_fdsfew42_sla   jblo
EF_space_332312_sla    space
EF_97324_pewpew_sla

If you can find the correct format and a regex that populates location only when the format is correct, you can use the OUTPUTNEW feature in lookup. (Automatic lookup also has the OUTPUTNEW feature; I believe it is the default.) This way, you do not have to perform the field name acrobatics.
The command is called multikv.

| rename _raw as temp, output AS _raw
| rex mode=sed "s/\|/,/g"
| multikv
| rename temp as _raw
First, about data illustration.
- Always use text illustration; when illustrating structured data such as JSON, always use raw text. Screenshots are extremely difficult for volunteers to comprehend; they oftentimes also distort characteristics.
- Always anonymize illustrated data. (One of your screenshots seems to contain information you do not want to divulge.)
- Illustrate how you envision the output; use a mockup.
- Explain the logic between illustrated data and desired output if it is not obvious. (It may be obvious to you but not to volunteers who are not intimately familiar with your data and use case.)

This said, your later code suggests that the key information "sync/c2v" is contained in the non-JSON part of "message". You need to extract that first (I'll put it in leadtext), then evaluate Description based on whether that information is present. There is a field properties.correlationId that links the ERROR event and INFO events, therefore the transaction ID that is also contained in the non-JSON part of message is not needed. Is this correct? If these guesses are correct, you are looking for something like

index=us_whcrm source=MuleUSAppLogs sourcetype="bmw-crm-wh-xl-retail-amer-prd-api" ((severity=ERROR "Transatcion") OR (severity=INFO "Received Payload"))
| rex field=message "(?<leadtext>[^{]+):\s*(?<payload>{.+})"
| eval Description = if(match(leadtext, "flow ended put:\\sync\\c2v"), "COO", "RDR")
| spath input=payload
| rename properties.correlationId as correlationId processRetailDeliveryReporting.processRetailDeliveryReportingDataArea.retailDeliveryReporting.retailDeliveryReportingVehicleLineItem.vehicle.vehicleID as VinId
| eval BMWUnit=replace(BMWUnit, "(\\w{3})(\\w{2})", "\\1-\\2")
| table _time correlationId BMWUnit dealerId Description VinId
| stats earliest(_time) as _time values(*) as * by correlationId
| where Description == "COO"

Hope this helps
I have a field in the event which has multi-line data (between double quotes) and I need to split it into individual lines and finally extract them into a table format for each of the headers. Basically, the requirement is to report this data in table format to users.

output = "DbName|CurrentSizeGB|UsedSpaceGB|FreeSpaceGB|ExtractedDate
abc|60.738|39.844|20.894|Sep 5 2023 10:00AM
def|0.098|0.017|0.081|Sep 5 2023 10:00AM
pqr|15.859|0.534|15.325|Sep 5 2023 10:00AM
xyz|32.733|0.675|32.058|Sep 5 2023 10:00AM"
Can you share your props.conf file? I think you are forcing Splunk to take _time as processedtime in the logs.
Hi all! Recently there has been a need to implement a centralized Splunk setup on Linux machines. I managed to do this without using Ansible, starting from the script by lguinn2: https://community.splunk.com/t5/Getting-Data-In/Simple-installation-script-for-Universal-Forwarder/m-p/21517. Today I want to share it with everyone; of course, if you have any comments or improvements, please write! I got two slightly different scripts: 1 for CentOS and SuSE, 2 for Ubuntu and Debian. Why? Because different installation packages were used. Yes, yes, it was possible to do some things differently; I just had to make it as quickly as possible, and my level of Linux knowledge is also hoarse) Well, this post is for people like me))

Note. The script has been tested on an Ubuntu distribution, so it is recommended that you work on an Ubuntu machine. Successful completion of the work requires SSH access to the target devices and the ability to execute the ssh and sshpass commands. All target machines must have an identical account with the same password, and this account must be a superuser (with the ability to run commands via sudo). MyForwarders and MyForwarders_U are simple text files for storing the IP addresses of the target machines. I think for the rest everything is clear from the description; even if there are questions along the way, you will understand everything!

1.

#!/bin/bash
# Credentials of the user who will connect to the target host and run Splunk.
read -p "Enter SSH user name: " username
echo -n "Enter SSH user password: "
stty -echo
read password
stty echo
echo
INSTALLED=False
# Logging file for Splunk status
STATUS_LOG="/home/zhanali/splunk_status.txt"
# File with machine's IPs
HOSTS_FILE="/home/zhanali/MyForwarders"
# Installation file location
INSTALL_FILE="/home/zhanali/splunkforwarder-9.1.0.1-77f73c9edb85.x86_64.rpm"
# Commands run on the target host before the package is copied over
PREPARE_COMMANDS="
echo $password | sudo -S -k mkdir /opt/splunkforwarder 2>/dev/null
echo $password | sudo -S -k chown -R splunk:splunk /opt/splunkforwarder 2>/dev/null
"
# Commands run on the target host to install, seed and configure the forwarder
INSTALL_COMMANDS="
echo $password | sudo -S -k chmod 644 /opt/splunkforwarder/splunkforwarder-9.1.0.1-77f73c9edb85.x86_64.rpm 2>/dev/null
echo $password | sudo -S -k rpm -i /opt/splunkforwarder/splunkforwarder-9.1.0.1-77f73c9edb85.x86_64.rpm 2>/dev/null
echo $password | sudo -S -k /opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --no-prompt --seed-passwd '!@#qweasdZXC' 2>/dev/null
echo 'Please wait 10 second....'
sleep 10
echo $password | sudo -S -k /opt/splunkforwarder/bin/splunk stop 2>/dev/null
echo $password | sudo -S -k /opt/splunkforwarder/bin/splunk disable boot-start 2>/dev/null
echo $password | sudo -S -k chown -R splunk:splunk /opt/splunkforwarder 2>/dev/null
echo $password | sudo -S -k /opt/splunkforwarder/bin/splunk enable boot-start -user $username 2>/dev/null
echo $password | sudo -S -k /opt/splunkforwarder/bin/splunk start 2>/dev/null
echo $password | sudo -S -k mkdir /home/$username/.splunk 2>/dev/null
echo $password | sudo -S -k chmod 777 -R /home/$username/.splunk 2>/dev/null
echo $password | sudo -S -k sudo -u $username /opt/splunkforwarder/bin/splunk add forward-server 172.16.30.104:9997 -auth 'admin':'!@#qweasdZXC' 2>/dev/null
echo $password | sudo -S -k sudo -u $username /opt/splunkforwarder/bin/splunk set deploy-poll 172.16.30.104:8089 -auth 'admin':'!@#qweasdZXC' 2>/dev/null
"
echo "In 5 seconds, will run the following script on each remote host:"
echo
sleep 5
echo "Reading host IPs from $HOSTS_FILE"
echo
echo "Starting."
for DST in `cat "$HOSTS_FILE"`; do
    if [ -z "$DST" ]; then continue; fi
    echo "---------------------------------" | tee -a $STATUS_LOG
    echo "Starting work with $DST" | tee -a $STATUS_LOG
    # Remote existence check; the command is quoted so it runs as-is on the target shell
    sshpass -p $password ssh -q $username@$DST "test -f /opt/splunkforwarder/bin/splunk" && INSTALLED=True || INSTALLED=False
    if [ "$INSTALLED" = "True" ]; then
        echo "Splunk UF is already installed" | tee -a $STATUS_LOG
        version=$(sshpass -p $password ssh $username@$DST "echo $password | sudo -S -k /opt/splunkforwarder/bin/splunk version | grep 'Splunk Universal Forwarder'" 2>/dev/null)
        echo "Splunk UF version: $version" | tee -a $STATUS_LOG
        status=$(sshpass -p $password ssh $username@$DST "echo $password | sudo -S -k /opt/splunkforwarder/bin/splunk status | grep 'splunkd is '" 2>/dev/null)
        echo "Splunk UF status: $status" | tee -a $STATUS_LOG
        dep=$(sshpass -p $password ssh $username@$DST "echo $password | sudo -S -k cat /opt/splunkforwarder/etc/system/local/deploymentclient.conf | grep '172.16.30.104:8089'" 2>/dev/null)
        fwd=$(sshpass -p $password ssh $username@$DST "echo $password | sudo -S -k cat /opt/splunkforwarder/etc/system/local/outputs.conf | grep '172.16.30.104:9997'" 2>/dev/null)
        if [ -z "$dep" ]; then
            echo "Deployment server is not configured" | tee -a $STATUS_LOG
        else
            echo "Deployment server is configured" | tee -a $STATUS_LOG
        fi
        if [ -z "$fwd" ]; then
            echo "Forward server is not configured" | tee -a $STATUS_LOG
        else
            echo "Forward server is configured" | tee -a $STATUS_LOG
        fi
        INSTALLED=False
    else
        echo "Splunk UF is not installed to host $DST" | tee -a $STATUS_LOG
        echo "Installing..." | tee -a $STATUS_LOG
        sshpass -p $password ssh $username@$DST "$PREPARE_COMMANDS"
        sshpass -p $password scp $INSTALL_FILE $username@$DST:/opt/splunkforwarder
        sshpass -p $password ssh $username@$DST "$INSTALL_COMMANDS"
        echo "Installation is done" | tee -a $STATUS_LOG
        echo "Checking..." | tee -a $STATUS_LOG
        status=$(sshpass -p $password ssh $username@$DST "echo $password | sudo -S -k /opt/splunkforwarder/bin/splunk status | grep 'splunkd is '" 2>/dev/null)
        echo "Splunk UF status: $status" | tee -a $STATUS_LOG
        dep=$(sshpass -p $password ssh $username@$DST "echo $password | sudo -S -k cat /opt/splunkforwarder/etc/system/local/deploymentclient.conf | grep '172.16.30.104:8089'" 2>/dev/null)
        fwd=$(sshpass -p $password ssh $username@$DST "echo $password | sudo -S -k cat /opt/splunkforwarder/etc/system/local/outputs.conf | grep '172.16.30.104:9997'" 2>/dev/null)
        if [ -z "$dep" ]; then
            echo "Deployment server is not configured" | tee -a $STATUS_LOG
        else
            echo "Deployment server is configured" | tee -a $STATUS_LOG
        fi
        if [ -z "$fwd" ]; then
            echo "Forward server is not configured" | tee -a $STATUS_LOG
        else
            echo "Forward server is configured" | tee -a $STATUS_LOG
        fi
    fi
    echo "---------------------------------" | tee -a $STATUS_LOG
done
echo "Done"

And 2.

#!/bin/bash
# Credentials of the user who will connect to the target host and run Splunk.
read -p "Enter SSH user name: " username
echo -n "Enter SSH user password: "
stty -echo
read password
stty echo
echo
INSTALLED=False
# Logging file for Splunk status
STATUS_LOG="/home/zhanali/splunk_status.txt"
# File with machine's IPs
HOSTS_FILE="/home/zhanali/MyForwarders_U"
# Installation file location
INSTALL_FILE="/home/zhanali/splunkforwarder-9.1.0.1-77f73c9edb85-linux-2.6-amd64.deb"
# Commands run on the target host before the package is copied over
PREPARE_COMMANDS="
echo $password | sudo -S -k mkdir /opt/splunkforwarder 2>/dev/null
echo $password | sudo -S -k chown -R splunk:splunk /opt/splunkforwarder 2>/dev/null
"
# Commands run on the target host to install, seed and configure the forwarder
INSTALL_COMMANDS="
echo $password | sudo -S -k dpkg -i /opt/splunkforwarder/splunkforwarder-9.1.0.1-77f73c9edb85-linux-2.6-amd64.deb 2>/dev/null
echo $password | sudo -S -k /opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --no-prompt --seed-passwd '!@#qweasdZXC' 2>/dev/null
echo 'Please wait 10 second....'
sleep 10
echo $password | sudo -S -k chown -R splunk:splunk /opt/splunkforwarder 2>/dev/null
echo $password | sudo -S -k /opt/splunkforwarder/bin/splunk stop 2>/dev/null
echo $password | sudo -S -k /opt/splunkforwarder/bin/splunk enable boot-start -user $username 2>/dev/null
echo $password | sudo -S -k /opt/splunkforwarder/bin/splunk start 2>/dev/null
echo 'Please wait 5 second....'
sleep 5
echo $password | sudo -S -k sudo -u $username /opt/splunkforwarder/bin/splunk add forward-server 172.16.30.104:9997 -auth 'admin':'!@#qweasdZXC' 2>/dev/null
echo $password | sudo -S -k sudo -u $username /opt/splunkforwarder/bin/splunk set deploy-poll 172.16.30.104:8089 -auth 'admin':'!@#qweasdZXC' 2>/dev/null
"
echo "In 5 seconds, will run the following script on each remote host:"
echo
sleep 5
echo "Reading host IPs from $HOSTS_FILE"
echo
echo "Starting."
for DST in `cat "$HOSTS_FILE"`; do
    if [ -z "$DST" ]; then continue; fi
    echo "---------------------------------" | tee -a $STATUS_LOG
    echo "Starting work with $DST" | tee -a $STATUS_LOG
    # Remote existence check; the command is quoted so it runs as-is on the target shell
    sshpass -p $password ssh -q $username@$DST "test -f /opt/splunkforwarder/bin/splunk" && INSTALLED=True || INSTALLED=False
    if [ "$INSTALLED" = "True" ]; then
        echo "Splunk UF is already installed" | tee -a $STATUS_LOG
        version=$(sshpass -p $password ssh $username@$DST "echo $password | sudo -S -k /opt/splunkforwarder/bin/splunk version | grep 'Splunk Universal Forwarder'" 2>/dev/null)
        echo "Splunk UF version: $version" | tee -a $STATUS_LOG
        status=$(sshpass -p $password ssh $username@$DST "echo $password | sudo -S -k /opt/splunkforwarder/bin/splunk status | grep 'splunkd is '" 2>/dev/null)
        echo "Splunk UF status: $status" | tee -a $STATUS_LOG
        dep=$(sshpass -p $password ssh $username@$DST "echo $password | sudo -S -k cat /opt/splunkforwarder/etc/system/local/deploymentclient.conf | grep '172.16.30.104:8089'" 2>/dev/null)
        fwd=$(sshpass -p $password ssh $username@$DST "echo $password | sudo -S -k cat /opt/splunkforwarder/etc/system/local/outputs.conf | grep '172.16.30.104:9997'" 2>/dev/null)
        if [ -z "$dep" ]; then
            echo "Deployment server is not configured" | tee -a $STATUS_LOG
        else
            echo "Deployment server is configured" | tee -a $STATUS_LOG
        fi
        if [ -z "$fwd" ]; then
            echo "Forward server is not configured" | tee -a $STATUS_LOG
        else
            echo "Forward server is configured" | tee -a $STATUS_LOG
        fi
        INSTALLED=False
    else
        echo "Splunk UF is not installed to host $DST" | tee -a $STATUS_LOG
        echo "Installing..." | tee -a $STATUS_LOG
        sshpass -p $password ssh $username@$DST "$PREPARE_COMMANDS"
        sshpass -p $password scp $INSTALL_FILE $username@$DST:/opt/splunkforwarder
        sshpass -p $password ssh $username@$DST "$INSTALL_COMMANDS"
        echo "Installation is done" | tee -a $STATUS_LOG
        echo "Checking..." | tee -a $STATUS_LOG
        status=$(sshpass -p $password ssh $username@$DST "echo $password | sudo -S -k /opt/splunkforwarder/bin/splunk status | grep 'splunkd is '" 2>/dev/null)
        echo "Splunk UF status: $status" | tee -a $STATUS_LOG
        dep=$(sshpass -p $password ssh $username@$DST "echo $password | sudo -S -k cat /opt/splunkforwarder/etc/system/local/deploymentclient.conf | grep '172.16.30.104:8089'" 2>/dev/null)
        fwd=$(sshpass -p $password ssh $username@$DST "echo $password | sudo -S -k cat /opt/splunkforwarder/etc/system/local/outputs.conf | grep '172.16.30.104:9997'" 2>/dev/null)
        if [ -z "$dep" ]; then
            echo "Deployment server is not configured" | tee -a $STATUS_LOG
        else
            echo "Deployment server is configured" | tee -a $STATUS_LOG
        fi
        if [ -z "$fwd" ]; then
            echo "Forward server is not configured" | tee -a $STATUS_LOG
        else
            echo "Forward server is configured" | tee -a $STATUS_LOG
        fi
    fi
    echo "---------------------------------" | tee -a $STATUS_LOG
done
echo "Done"
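The post-install check in the scripts above greps outputs.conf and deploymentclient.conf for a bare IP:port string, which also matches a commented-out or stale line. The following is an added example, not part of the original post, of the same check done against the actual configuration keys (server under a tcpout stanza, targetUri under target-broker:deploymentServer); the config files, hosts and ports are constructed sample values.

```shell
#!/bin/bash
# Added example: verify a Universal Forwarder's outputs.conf and
# deploymentclient.conf point at the expected indexer and deployment server
# by reading the real keys instead of grepping for the address. A bare grep
# also matches commented-out lines, so a host can look "configured" while
# forwarding nowhere.

# Print the value of key $3 found under any stanza whose header starts with $2
# in file $1. Comment lines (# or ;) are skipped; matching is reset at each
# stanza header so a key in an unrelated stanza is ignored.
stanza_values() {
    awk -v pat="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }                               # skip comments
        /^\[/         { inside = (index($0, pat) == 1); next } # enter/leave stanza
        inside && $0 ~ ("^[ \t]*" key "[ \t]*=") {           # "key = value"
            sub(/^[^=]*=[ \t]*/, ""); print
        }' "$1"
}

# Return 0 if outputs.conf ($1) sends data to host:port $2, 1 otherwise.
# The server key may hold a comma-separated list; match one exact entry.
forward_server_configured() {
    stanza_values "$1" "[tcpout" server | tr ',' '\n' | tr -d ' ' | grep -qx "$2"
}

# Return 0 if deploymentclient.conf ($1) targets deployment server $2, 1 otherwise.
deploy_server_configured() {
    stanza_values "$1" "[target-broker:deploymentServer]" targetUri | tr -d ' ' | grep -qx "$2"
}

# Constructed sample configs (not from a real host) in a scratch directory.
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
cat > "$TMPD/outputs.conf" <<'EOF'
# server = 172.16.30.104:9997   <- old entry, left behind as a comment
[tcpout]
defaultGroup = primary_indexers
[tcpout:primary_indexers]
server = 10.0.0.5:9997, 10.0.0.6:9997
EOF
cat > "$TMPD/deploymentclient.conf" <<'EOF'
[target-broker:deploymentServer]
targetUri = 10.0.0.7:8089
EOF

# Run the checks the way the install script would, but key-aware.
check_host_configs() {
    local out="$1/outputs.conf" dep="$1/deploymentclient.conf"
    forward_server_configured "$out" "10.0.0.5:9997" && echo "Forward server 10.0.0.5:9997 is configured"
    forward_server_configured "$out" "172.16.30.104:9997" || echo "172.16.30.104:9997 appears only in a comment: not configured"
    deploy_server_configured "$dep" "10.0.0.7:8089" && echo "Deployment server 10.0.0.7:8089 is configured"
}
check_host_configs "$TMPD"
```

On a real host the two files live under /opt/splunkforwarder/etc/system/local (or an app's local directory), so the same functions can be fed the output of the cat commands the script already runs over ssh.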
Hi @harryhcg, this seems to be a JSON format, so, as @yuanliu hinted, try to use the "spath" command (https://community.splunk.com/t5/Splunk-Enterprise/spath-command/m-p/518343). About your regex, try to add another backslash to your regex:

| rex "RETURN\\\\"\:\\\\"(?<Field2>[^\\]+)"

Ciao.
Giuseppe
Hi @lucky, as @yuanliu also asked, you should better describe your requirement: did you already ingest data? Did you install the Add-Ons to correctly parse the data? Are you speaking of Windows or Linux systems? Anyway, the answer depends on this information. Supposing that you are speaking of Windows systems, that you already installed the requested Add-On (Splunk_TA_Windows) and that you already ingested the requested data (perfmon:CPU and perfmon:Memory), you could run something like this:

index=windows sourcetype=WinHostMon Type=Processor $host$
| eval host=upper(host)
| dedup host
| sort host
| table Name NumberOfCores Architecture ClockSpeedMHz Manufacturer
| rename Name AS CPU Manufacturer AS "CPU Manufacturer"

and

index=windows sourcetype=WinHostMon Type=OperatingSystem $host$
| eval host=upper(host)
| dedup host
| sort host
| eval FreePhysicalMemoryGB=FreePhysicalMemoryKB/1024/1024, FreeVirtualMemoryGB=FreeVirtualMemoryKB/1024/1024, TotalPhysicalMemoryGB=TotalPhysicalMemoryKB/1024/1024, TotalVirtualMemoryGB=TotalVirtualMemoryKB/1024/1024, mem_free_percent=FreePhysicalMemoryKB/TotalPhysicalMemoryKB*100, Virtual_mem_free_percent=FreeVirtualMemoryKB/TotalVirtualMemoryKB*100
| table FreePhysicalMemoryGB TotalPhysicalMemoryGB mem_free_percent FreeVirtualMemoryGB TotalVirtualMemoryGB Virtual_mem_free_percent
| rename FreePhysicalMemoryGB AS "Free Physical Memory" TotalPhysicalMemoryGB AS "Total Physical Memory" mem_free_percent AS "Free Physical Memory%" FreeVirtualMemoryGB AS "Free Virtual Memory" TotalVirtualMemoryGB AS "Total Virtual Memory" Virtual_mem_free_percent AS "Free Virtual Memory%"

to adapt to your requirements.
Ciao.
Giuseppe
To get help about data analysis, you want to explain what data you have (preferably with text illustration), key characteristics of data, illustrate your desired output, and the logic between data and output. Hope this helps.
Hi @lucky, good for you, see you next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated by all the contributors
As @VatsalJagani said, you are not limited to using delimiters in Splunk field extraction.  I just posted some screenshots from Splunk Web for a nearly identical data format here: https://community.splunk.com/t5/Splunk-Search/Tempory-output-storage/m-p/656753/highlight/true#M226830